U.S. states probe VTech hack, experts warn of more attacks

BOSTON/HONG KONG (Reuters) - U.S. states said they will investigate a massive breach at digital toy maker VTech Holdings Ltd as security experts warned that hackers are likely to target similar companies that handle customer data.

Attorneys general in the U.S. states of Connecticut and Illinois said on Monday that they would probe the breaches, though their representatives declined comment on the focus of their inquiries.

The Hong Kong-based toymaker disclosed the attack on Friday, saying information about nearly 5 million adults and children had been stolen in an attack on a portal used to download games to its computer tablets.

Hong Kong Privacy Commissioner for Personal Data Stephen Wong said his office had initiated a “compliance check” on VTech to see if the company had followed data privacy principles.

Technology news site Motherboard reported on Friday that the data belonged to some 4.8 million adults and more than 200,000 children. VTech did not break out the number of children affected.

Motherboard reported on Monday that the hackers also stole photos and chat logs from VTech's Kid Connect service, which allows adults to use their smartphones to chat with kids using VTech tablets. (bit.ly/1XCLIjU)

VTech did not respond to requests for comment on the state probes or the Motherboard reports, which Reuters could not independently verify. Hong Kong’s Cyber Security and Technology Crime Bureau said it did not receive any report from VTech.

Privacy Commissioner Wong also said there is not yet “adequate or sufficient information” to say whether children had specifically been targeted in the VTech hack.

VTech's products are seen on display at a toy store in Hong Kong, China November 30, 2015. Shares of electronic toy maker VTech Holdings Ltd were suspended from trade on Monday after customer data was stolen in a cyber attack, sparking concern over the loss of information relating to children. REUTERS/Tyrone Siu

Meanwhile, some experts said that they expect to see more breaches involving information collected through digital toys and other web-connected devices, a category of products known in tech circles as the Internet of Things, or IoT.

They said that manufacturers in many industries lack the security experience and expertise that the computer industry has developed during the surge in Internet use over the past two decades.

“You have all these devices and services that are connecting to the Internet by companies that don’t have the experience that older software companies do in securing their data,” said Katie Moussouris, chief policy officer with HackerOne, a “bug bounty” firm that helps businesses work with researchers to find cyber bugs.

“VTech is a toymaker and I don’t expect them to be security superstars. They are amateurs in the field of security,” said Tod Beardsley, security research manager with Rapid7 Inc.

Toy manufacturers lack rigor in secure software development, said Chris Eng, vice president of research at security software maker Veracode. They are “inevitably going to fall short on security,” he said.

Larry Salibra, chief executive of bug-testing platform provider Pay4Bugs, said that it looks like VTech failed to properly secure sensitive data by encrypting it so that it would be difficult to unscramble and useless if stolen.

Motherboard said it spoke to a hacker who claimed to be behind the attack and said he planned to do “nothing” with the data.